Dropbox Confirms Hack, 60 Million Stolen Passwords


A few days ago, Dropbox confirmed that a 2012 hack is real. The company also unveiled that the hack is a lot worse than initially thought: hackers had access to more than 60 million accounts and their passwords.

In its initial statements, Dropbox said that hackers had compromised only the e-mail addresses.

In 2012, the company explained how the hack happened. Reportedly, hackers breached one of its key employees’ Dropbox account. That worker had uploaded a file with all users’ e-mail addresses.

The company apologized for the inconvenience (hackers used the stolen credentials to spam Dropbox users). Additionally, it pledged to “put additional controls in place” to prevent similar mishaps from occurring again.

Dropbox Silent on Password Theft

But in 2012, the company failed to tell the public that the hack had compromised user passwords as well. Experts noted that, technically, attackers did not steal the passwords themselves, since Dropbox had both hashed and salted them.

Yet hackers did steal the passwords in their hashed form, and Dropbox omitted that detail. Hopefully, they won’t be able to crack them anytime soon. It is strange, however, that the cloud service took so long to confirm the hack.

According to people familiar with the matter, the Dropbox team had protected the stolen passwords with two different hashing schemes. Some of the passwords were hashed with the older SHA-1 function. But about 32 million passwords were hashed with bcrypt, a more secure algorithm built for password storage.

What’s more, all of the passwords were salted before hashing. A salt is a random string of characters combined with each password before it is hashed, which makes the stored hashes even harder to crack.
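As an added illustration (not code from the original article), the following Python contrasts the two schemes described above: a plain SHA-1 digest, which comes out identical for every user who picked the same password, against a salted, deliberately slow hash verified in constant time. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 stands in for it here; the user list and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # cost per guess; raise it as hardware gets faster


def sha1_unsalted(password: str) -> str:
    """Legacy scheme: one fast, deterministic digest and no per-user salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stand-in for bcrypt (assumption: stdlib PBKDF2-HMAC-SHA256 is used
    here because bcrypt is a third-party package); the property demonstrated
    is the same: a per-user salt plus a tunable cost for every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """Stored credential: a fresh random salt, the salted hash and its cost."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": salted_slow_hash(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    recomputed = salted_slow_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], recomputed)


def distinct_stored_values(users: dict, scheme: str) -> int:
    """Number of distinct values a leaked credential table would hold.
    Unsalted SHA-1: users sharing a password share a digest, so the dump
    exposes reuse and one cracked digest opens every account using it.
    Salted: every stored value differs, even for identical passwords."""
    if scheme == "sha1":
        return len({sha1_unsalted(pw) for pw in users.values()})
    return len({make_record(pw)["hash"] for pw in users.values()})


# Constructed sample data: two of the three users chose the same password.
SAMPLE_USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "hunter2",
}
```

Running `distinct_stored_values(SAMPLE_USERS, "sha1")` yields 2 while the salted variant yields 3, which is exactly the difference between a dump that reveals password reuse and one that does not.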

Hackers have posted the hashed versions of the passwords on online forums, but experts found no evidence that cyber criminals have cracked any of them.

Situation Then and Now

In 2012, Dropbox boasted about its 100 million user base, which marked a 100 percent increase from a year prior. According to more recent reports, there are about 500 million registered users.

If indeed the company had 100 million users when the hack happened, then this means that three-fifths of its users’ accounts have been compromised.

The LinkedIn Link

One may wonder how hackers got access to that Dropbox employee’s account. The employee had used the same password on LinkedIn, which had been hacked in 2012 too, and the attackers re-used that leaked password to get into the Dropbox network.

So, the Dropbox breach was not entirely Dropbox’s fault. But the hack does emphasize the risks of re-using a password across multiple accounts.

Since then, the file hosting service has instructed its workers never to re-use passwords on their work accounts. Moreover, Dropbox now uses the password management service 1Password to help workers remember complex passwords. And internal systems now require two-step authentication.

Cyber attackers eye cloud storage services because of the troves of personal and sensitive data they may find. For instance, in Aug. 2014, hackers breached Apple’s iCloud servers and stole heaps of private celebrity photos. The incident caught the media’s attention, as female celebrities saw their private and even compromising photos circulating freely on the Internet.

Image Source: Pixabay